Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
[http://www.geocities.co.jp/SiliconValley/1667/advisory07.html]
Date:
~~~~~~~~~~~~~~~~~
June 5, 2003
Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy (at) bp.iij4u.or (dot) jp]
Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP3 Internet Explorer 6.0 SP1
Overview:
~~~~~~~~~~~~~~~~~
By exploiting this vulnerability, an intruder can reach %USERPROFILE%,
including the user name, without having to guess the user name.
(Example) %USERPROFILE% = "C:\Documents and Settings\victim"
Details:
~~~~~~~~~~~~~~~~~
The problem lies in how the "Cannot find server" error page is displayed.
The address of this "Cannot find server" error page is as follows.
"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and Settings\%USERNAME%\Desktop\ftp:\\%@\".
Because the part that follows dnserror.htm is the same as the
%USERPROFILE% path, appending "../" makes it possible to move between
directories.
If an application such as a mailer or a browser saves its temporary files
in %TEMP%, an attacker can get a malicious file saved in %TEMP% as a
temporary file and then use this vulnerability to execute the malicious
file saved in %TEMP%.
Some previously discovered vulnerabilities were judged to be not very
dangerous on Windows2000 and later, because %TEMP% could not be reached
without guessing the user name contained in %USERPROFILE%. With this
vulnerability, however, it may be possible to reach %TEMP% without
guessing the user name.
Exploit code:
~~~~~~~~~~~~~~~~~
Suppose the exploit.html file below is saved in %TEMP% as a temporary
file.
* To verify the vulnerability, save exploit.html in your own %TEMP%.
exploit.html
[http://www.geocities.co.jp/SiliconValley/1667/exploit.html]
When a user for whom exploit.html has been temporarily saved visits a
malicious site and displays the link target of a Web page like the
ftpexp.html below, notepad.exe is launched.
* To verify the vulnerability, display ftpexp.html in IE and click the
Exploit link. notepad.exe is launched.
ftpexp.html
[http://www.geocities.co.jp/SiliconValley/1667/ftpexp.html]
This vulnerability on its own is not thought to lead to critical
consequences. However, if there is an application that saves temporary
files under easily guessable names, there is a risk that arbitrary files
can be executed through a combination like exploit.html and ftpexp.html.
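The last paragraph makes an easily guessable temporary file name the condition for the issue becoming dangerous. The sketch below is an added example, not part of the original advisory or of any vendor code. It contrasts that risky storage pattern with one that removes the condition; the function names and the scratch directory standing in for %TEMP% are assumptions made for illustration.

```python
import os
import secrets
import tempfile


def save_weak(temp_root, name, data):
    """Risky pattern: the file lands at temp_root/<sender-chosen name>."""
    path = os.path.join(temp_root, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_hardened(temp_root, data):
    """Store untrusted bytes where a remote party cannot predict the path."""
    # Private subdirectory with a random name, accessible only to its creator.
    subdir = tempfile.mkdtemp(dir=temp_root)
    # 128 random bits for the file name. The sender's name and extension are
    # discarded, so the content is never stored as .html or another type
    # that the shell or the browser would open directly.
    path = os.path.join(subdir, secrets.token_hex(16) + ".tmp")
    # O_EXCL refuses to reuse a file that already exists at that path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def attacker_can_predict(path, temp_root, name):
    """True if the path follows from values the sender already has:
    the temp folder location and the file name it supplied."""
    guess = os.path.join(temp_root, os.path.basename(name))
    return os.path.normpath(path) == os.path.normpath(guess)


def demo():
    # Constructed sample: a scratch directory stands in for %TEMP%.
    with tempfile.TemporaryDirectory() as temp_root:
        body = b"<html>constructed sample attachment</html>"
        weak = save_weak(temp_root, "exploit.html", body)
        hard = save_hardened(temp_root, body)
        return (attacker_can_predict(weak, temp_root, "exploit.html"),
                attacker_can_predict(hard, temp_root, "exploit.html"))


if __name__ == "__main__":
    print(demo())
```

Random naming does not fix the Internet Explorer behaviour itself; it only denies a remote party the exact file path that the combination described above depends on.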
Workaround:
~~~~~~~~~~~~~~~~~
Unknown
Vendor Status:
~~~~~~~~~~~~~~~~~
Reported to Microsoft on November 7, 2002.
The issue was then discussed by e-mail, but I was told that, considering
the severity and the small number of affected product versions, they
would prefer not to raise the priority and release it as a standalone
fix. However, the issue has already been registered as a bug, and although
the timing is not clear, they intend to fix it.
-------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: ptrs-ejy (at) bp.iij4u.or (dot) jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
-------------------------------------------------------